From 62aedf408bd66d9524102f536a080d0ee1357349 Mon Sep 17 00:00:00 2001 From: Alexander Early Date: Wed, 27 Oct 2021 20:12:46 -0700 Subject: [PATCH] Fix prototype pollution vulnerability (cherry picked from commit e1ecdbf79264f9ab488c7799f4c76996d5dca66d) Conflicts: lib/internal/iterator.js test/mapValues.js NOTE(mriedem): The conflicts are due to: - e4751178540a3c6e64598b93977481ec599704d2 for iterator.js; resolution was trivial - bd86f42a7d71552d9a502b50235ffc090a1b4a98 for mapValues.js; resolution was just copying the test change into the old test file before it was moved This is a 2.x series backport for https://nvd.nist.gov/vuln/detail/CVE-2021-43138. --- lib/internal/iterator.js | 3 +++ mocha_test/mapValues.js | 11 +++++++++++ 2 files changed, 14 insertions(+) diff --git a/lib/internal/iterator.js b/lib/internal/iterator.js index 15c6fddb4..24056effd 100644 --- a/lib/internal/iterator.js +++ b/lib/internal/iterator.js @@ -27,6 +27,9 @@ function createObjectIterator(obj) { var len = okeys.length; return function next() { var key = okeys[++i]; + if (key === '__proto__') { + return next(); + } return i < len ? {value: obj[key], key: key} : null; }; } diff --git a/mocha_test/mapValues.js b/mocha_test/mapValues.js index 612feffcb..640060ffd 100644 --- a/mocha_test/mapValues.js +++ b/mocha_test/mapValues.js @@ -39,6 +39,17 @@ describe('mapValues', function () { done(); }); }); + + it('prototype pollution', (done) => { + var input = JSON.parse('{"a": 1, "b": 2, "__proto__": { "exploit": true }}'); + + async.mapValues(input, (val, key, next) => { + next(null, val) + }, (err, result) => { + expect(result.exploit).to.equal(undefined) + done(err); + }) + }) }); context('mapValues', function () {